Introduction to Bind Rules

The location from which an entity must bind. The location
from which a user authenticates can be spoofed and cannot be trusted. Do not
base ACIs on this information alone.

The time or day on which binding must occur.

The type of authentication that must be in use during binding.

A simple bind rule might require a person accessing the directory to
belong to a specific group. A complex bind rule can require a person to belong
to a specific group and to log in from a machine with a specific IP address,
between 8 am and 5 pm. Additionally, bind rules can be complex constructions
that combine these criteria by using Boolean operators.

The server evaluates the logical expressions used in ACIs according
to a three-valued logic, similar to the one used to evaluate LDAP filters,
as described in section 4.5.1.7 of RFC 4511 Lightweight Directory
Access Protocol (v3). Therefore, if any component in the expression
evaluates to Undefined (for example, if the evaluation of the expression aborted
due to a resource limitation), the server handles this case correctly:
it does not erroneously grant access because an Undefined value occurred
in a complex Boolean expression.
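
The following added example (not the server's own code) models the three-valued evaluation described above, using the AND, OR and NOT rules that RFC 4511 section 4.5.1.7 gives for LDAP filters. The tuple-based rule format and the leaf names `in_group` and `ip_on_denylist` are hypothetical. The example compares the three-valued result with a flawed two-valued evaluation that would grant access when a negated component cannot be evaluated.

```python
from enum import Enum

class Tri(Enum):
    TRUE = "true"
    FALSE = "false"
    UNDEFINED = "undefined"

def t_and(vals):
    # FALSE wins; otherwise any UNDEFINED makes the result UNDEFINED.
    if Tri.FALSE in vals:
        return Tri.FALSE
    return Tri.UNDEFINED if Tri.UNDEFINED in vals else Tri.TRUE

def t_or(vals):
    # TRUE wins; otherwise any UNDEFINED makes the result UNDEFINED.
    if Tri.TRUE in vals:
        return Tri.TRUE
    return Tri.UNDEFINED if Tri.UNDEFINED in vals else Tri.FALSE

def t_not(val):
    # NOT leaves UNDEFINED unchanged instead of flipping it to TRUE.
    return {Tri.TRUE: Tri.FALSE, Tri.FALSE: Tri.TRUE}.get(val, Tri.UNDEFINED)

def evaluate(expr, facts):
    """expr is a leaf name or a tuple ("and"|"or"|"not", sub-expressions...).
    A leaf missing from facts could not be evaluated and is UNDEFINED."""
    if isinstance(expr, str):
        return facts.get(expr, Tri.UNDEFINED)
    op, *args = expr
    vals = [evaluate(a, facts) for a in args]
    if op == "not" and len(vals) == 1:
        return t_not(vals[0])
    if op in ("and", "or"):
        return t_and(vals) if op == "and" else t_or(vals)
    raise ValueError(f"bad expression: {expr!r}")

def granted(expr, facts):
    # Access is allowed only when the whole bind rule evaluates to TRUE.
    return evaluate(expr, facts) is Tri.TRUE

def naive_granted(expr, facts):
    # Flawed two-valued comparison: "could not evaluate" collapses to False.
    if isinstance(expr, str):
        return facts.get(expr) is Tri.TRUE
    op, *args = expr
    vals = [naive_granted(a, facts) for a in args]
    return (not vals[0]) if op == "not" else (all(vals) if op == "and" else any(vals))

# Constructed rule: member of a group AND NOT binding from a denied address.
RULE = ("and", "in_group", ("not", "ip_on_denylist"))
```

With `in_group` true and `ip_on_denylist` unevaluated, `granted(RULE, ...)` returns `False` while `naive_granted(RULE, ...)` returns `True`, which is the erroneous grant the three-valued logic prevents.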